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FIG. 6 



SEARCH REQUEST DATA 



REQUEST TYPE 

(REG I STRAT i ON/CANGELLAT I ON) 
DESTINATION ROUTER IP ADDRESS 



SELF-ROUTER IP ADDRESS 
DESTINATION IP ADDRESS 



PROTOCOL TYPE 



PORT NUMBER 



FIG. 7 



UNAUTHORIZED ACCESS INFORMATION 
MONITORING PERIOD (TIME) 
DESTINATION IP ADDRESS 
PROTOCOL TYPE 



PORT NUMBER 



FIG. 8 




THRESHOLD VALUE DATA 



1CMP 50 TIMES/SEC (1) 
TELNET 3 TIMES/SEC (1) 
FTP 3 TIMES/SEC (1) 
I CMP 80 TIMES/SEC (2) 
FTP 3 TIMES/SEC (2) 



FIG. 9 



BORDER ROUTER INFORMATION 



BORDER ROUTER 


IP 


ADDRESS 


#1 


BORDER ROUTER 


IP 


ADDRESS 


#2 


BORDER ROUTER 


IP 


ADDRESS 


#3 


BORDER ROUTER 


IP 


ADDRESS 


#4 



FIG. 10 



\ CONNECTION ROUTER INFORMATION 



SELF-ROUTER 1 NFORMAT 1 ON 


CONNECTION ROUTER INFORMATION 


MAC ADDRESS #1 


CONNECTION ROUTER IP ADDRESS #1 


VPI/VCI#1 


CONNECTION ROUTER IP ADDRESS #2 


INPUT PORT INFORMATION #1 


CONNECTION ROUTER IP ADDRESS #3 







FIG. 11 



\^ UNAUTHORIZED PACKET INFORMATION 
DESTINATION IP ADDRESS 



PROTOCOL TYPE 



PORT NUMBER 



IP HEADER 



MAC ADDRESS OR VPI/VCI OR 
INPUT PORT INFORMATION 



FIG. 12 



40 UNAUTHORIZED INTRUSION RESPONSE DATA 




DESTINATION IP ADDRESS 



SELF-ROUTER IP ADDRESS 



PROTOCOL TYPE 



PORT NUMBER 



SELF-ROUTER AS NUMBER 



RESPONSE TYPE (DISCOVERING OF 
UNAUTHORIZED ACCESS/MONITORING 
OF UNAUTHORIZED ACCESS) 



FIG. 13 



JUDGEMENT TYPE OF 
THRESHOLD VALUE DATA 



I CMP 50 TIMES/SEC (1) 



TELNET 3 TIMES/SEC (1) 



FTP 3 TIMES/SEC (1) 



I CMP 80 TIMES/SEC (2) 



FTP 3 TIMES/SEC (2) 



ELEMENTS PER JUDGEMENT TYPE 



I CMP 50 TIMES/SEC (1): JUDGED 
TO BE UNAUTHORIZED ACCESS 
WHEN ALL THE FOLLOWING 
CONDITIONS ARE COINCIDENT 
WITH AND CONDITIONS 


UNAUTHORIZED 
ACCESS TRY COUNT 


50 TIMES/SEC 


APPLICATION 
IDENTIFIER 


NO IDENTIFIER 


MESSAGE TYPE 


ICMP ECHO 


SAME USER JUDGEMENT 


NEGATED 


SAME SESSION 
JUDGEMENT 


NEGATED 


INPUT COMMAND 


NO COMMAND 


ALARM FUNCTION 


ALARMED 


MONITORING 
START TIME 


ALL 


MONITORING END TIME 


ALL 




i 


TELNET 3 Ti MES/SEC (1) : 

JUDGED TO BE UNAUTHORIZED ACCESS 

WHEN ALL THE FOLLOWING CONDITIONS 

ARE COINCIDENT WITH AND 

CONDITIONS 


UNAUTHORIZED 
ACCESS 
TRY COUNT 


3 TIMES/SEC 


APPLICATION 
IDENTIFIER 


TELNET 


MESSAGE TYPE 


NOTH 1 NG 


SAME SESSION 
JUDGEMENT 


JUDGED 


SAME USER JUDGEMENT 


JUDGED 


INPUT COMMAND 


PING 


ALARM FUNCTION 


ALARMED 


MONITORING 
START TIME 


01 :00 


MONITORING END TIME 


06:00 


i 


i 

i 



FIG. 15 



( INTRUSION OF ILLEGAL 
^ PARTY INTO HOST 



RECEIVE UNAUTHORIZED OR AUTHORIZED IP PAKCET BY 
'P PAKCET FORWAR I DNG/RECE I V I NG UNIT 300 



FORWARD RECEIVED IP PACKET TO APPLICATION 301 



COLLECT ALL IP PACKET INFORMATION INCLUDING 
ELEMENTS NECESSARY FOR MONITORING UNAUTHORIZED 
ACCESS IN APPLICATION 301 

■ APPLICATION TYPE 

• SESSION INFORMATION 

■ ILLEGAL PARTY IP ADDRESS (spoofing address 

■ MESSAGE TYPE (WHEN IN I CMP) usable} 
•USER ID (WHEN IN TELNET, FTP) usable; 

• TRANSFER FILE NAME (WHEN IN FTP) 

■ TRANSFER FILE SIZE (WHEN IN FTP) 

■ OPERATION DIRECTORY (WHEN IN TELNET, FTP) 

■ INPUT COMMAND NAME (WHEN IN TELNET) ETG 



TRANSMIT OBTAINED INFORMATION TO ACCEPT 302 
OF UNAUTHORIZED INTRUSION MONITORING UNIT 340 



ACCEPT INFORMATION OBTAINED IN APPLICATION BY 
ACCEPT 302 OF UNAUTHORIZED INTRUSION MONITORING 
UNIT 340 



BOOT UNAUTHORIZED INTRUSION MONITORING UNIT 340 



TRANSMIT IP PAKCET INFORMATION TO UNAUTHORIZED 
ACCESS JUDGEMENT PROCESS 303 



( TO UNAUTHORIZED ACCESS 
V JUDGEMENT PROCESS 303 



3 



TO FIG. 16 



FIG. 16 



C UNAUTHORIZED ACCESS JUDGEMENT PROCESS 303 ) 




| RECEIVE ALL ELEMENTS OF P PACKET FROM ACCEPT 302 1 

ADD PRESENT TIME TO ELEMENT FOR MONITORING 
UNAUTHORIZED ACCESS 

COMPARE ACCEPTED ELEMENT WITH ELEMENT FOR | 



MONITORING UNAUTHORIZED ACCESS 




INCREMENT COUNTER VALUE PER JUDGEMENT TYPE IN 



THRESHOLD VALUE DATA 



DELETE (SUBTRACT) COUNTER VALUE OF ELEMENT OLDER 
THAN UNIT TIME (1 SEC. , 1 MIN. ETC) FOR COUNTING 
FROM PRESENT TIME IN ELEMENT FOR CALCULATING 
COUNTER VALUE (EG. :10 TIMES/SEC) PER UNIT TIME SET 
IN THRESHOLD VALUE DATA 



I COMPARE THRESHOLD VALUE 350 PRESET (OR AUTO-SET) BY 




CREATE SEARCH REQUEST DATA 50 BY OBTAINING 
FOLLOWING INFORMATION FROM UNAUTHORIZED PAKCET 



■REQUEST TYPE -* REG I STERAT I ON (UNAUTHORIZED ACCESS \ 
PREVENTION REQUEST) j 

■ DESTINATION ROUTER -» BORDER ROUTER ADDRESS (PREVIOUSLY ! 
REGISTERED IN HOST) OF SELF AUTONOMOUS SYSTEM ; 

■ SELF-ROUTER IP ADDRESS NO ENTRY 

• DESTINATION IP ADDRESS — SELF HOST ADDRESS 

• PROTOCOL TYPE — OBTAIN PROTOCOL TYPE FROM UNAUTHORIZED PACKET 

■ PORT NUMBER -> OBTAIN PORT NUMBER FROM UNAUTHORIZED PACKET 



TRANSMIT SEARCH REQUEST DATA 50 TO IP PACKET 
FORWARDING/RECEIVING UNIT 300 



RECEIVE SEARCH REQUEST DATA AND FORWARD PACKET OF 
SEARCH REQUEST DATA TO DESTINATION ROUTER BY IP 
PACKET FORWARDING/RECEIVING UNIT 300 



(TO BORDER ROUTER RECEIVING SEARCH REQUEST DATA) TO FIG. 17 



-onn 



FIG. 17 

FROM FIG. 16 

(PROCESS OF BORDER ROUTER RECEIVING SEARCH REQUEST data) 



RECEIVE PACKET FROM PORT 106 



TRANSMIT PACKET IP PACKET ROUTING UNIT 100 I 
r™ 



-106 




TRANSMIT SEARCH REQUEST DATA 50 TO ACCEPT PROCESS 104 | 
I OF UNAUTHORIZED INTRUSION MONITOR 180 



104- 



RECEIVE SEARCH REQUEST DATA 50 BY ACCEPT 
PROCESS 104 t 

BOOT UNAUTHORIZED INTRUSION MONITOR 180 



I TRANSMIT SEARCH REQUEST DATA 50 TO INFORMATION 
[REGISTRATION PROCESS 103 



EXECUTE AUTHORIZED 
PACKET PROCESS BY 
IP PAKCET ROUTING 
UNIT 100 



ADDITIONALLY REGISTER FOLLOWING INFORMATION IN 
UNAUTHORIZED ACCESS INFORMATION TABLE 150 BASED ON 
SEARCH REQUEST DATA 50 BY I NFORMATON REGISTRATION 
PROCESS 103 

■ MONITORING TIME — PRESET UNAUTHORIZED INTRUSION 

MONITOR EXECUTION TIME BY COMMAND 162 

■ DESTINATION ADDRESS, PROTOCOL TYPE 
■APPLICATION IDENTIFIER (PROT NUMBER) 



TRANSMIT SEARCH REQUEST DATA 50 TO DESTINATION SEARCH 
PROCESS 102 AND UNAUTHORIZED INTRUSION RESPONSE 
PROCESS 109 



/'TO DESTINATION SEARCH PROCESS 102 ^ 
(WHEN MAKING BORDER ROUTER ADDRESS 
SEARCH REQUEST IN SAME AUTONOMOUS 
SYSTEM) 



1L 



-103 



109 



RECEIVE SEARCH REQUEST DATA 
EXTRACT DESTINATION ADDRESS 
AND TRANSMIT UNAUTHORIZED 
INTRUSION RESPONSE DATA TO 
DESTINATION BY UNAUTHORIZED 
INTRUSION RESPONSE PROCESS 109 
(INFORM THAT UNAUTHORIZED 
ACCESS IS MONITORED IN SELF-ROUTER) 



FIG. 18 



FROM FIG. 17 



DESTINATION SEARCH PROCESS 102 
(WHEN MAKING BORDER ROUTER ADDRESS 
SEARCH REQUEST IN SAME AUTONOMOUS SYSTEM)^ 



102 



RECEIVE SEARCH REQUEST DATA 50 OR UNAUTHORIZED 
PACKET INFORMATION BY DESTINATION SEARCH PROCESS 102 




J_ 



MAKE BORDER ROUTER ADDRESS 
SEARCH REQUEST IN SAME 
AUTONOMOUS SYSTEM (WHEN 
RECEIVING SEARCH REQUEST 
DATA 50) 



_L 



MAKE SOURCE ROUTER ADDRESS 
SEARCH REQUEST OF 
UNAUTHORIZED PACKET (WHEN 
SEARCH REQUEST DATA 50 IS 
NOT RECEIVED) 



REFER TO BORDER ROUTER 
INFORMATION TABLE 151 
REGISTERED BEFOREHAND BY 
COMMAND 160 AND OBTAIN ALL 
IP ADDRESSES OF 
DISTRIBUTE DESTINATIONS 
OF SEARCH REQUEST DATA 50 



(SHOWN IN FIG. 21) 



TRANSMIT OBTAINED BORDER ROUTER ADDRESS AND 
SEARCH REQUEST DATA 50 TO 

TRACE REQUEST INFORMATION DISTRIBUTION PROCESS 101 



TO TRACE REQUEST INFORMATION DISTRIBUTION 
PROCESS 101 (DISTRIBUTION REQUEST TO BORDER 
ROUTER IN SAME AUTONOMOUS SYSTEM) 



TO FIG. 19 



FIG. 19 



FROM FIG. 18 



TRACE REQUEST INFORMATION DISTRIBUTION 
PROCESS 101 (DISTRIBUTION REQUEST TO 
BORDER ROUTER IN SAME AUTONOMOUS SYSTEM) 



101 



IE 



RECEIVE SEARCH REQUEST DATA 50 AND DESTINATION 

ROUTER ADDRESS OBTAINED BY TRACE REQUEST 

I NFORMAT I ON DISTRIBUTION PROCESS 101 



/ CHECK DISTRIBUTION TYPE OF \ 
\ SEARCH REQUEST DATA / 



MAKE DISTRIBUTION REQUEST 
TO BORDER ROUTER IN SAME 
AUTONOMOUS SYSTEM 
(WHEN RECEIVING SEARCH 
REQUEST DATA 50) 



MAKE REQUEST TO SOURCE 
ROUTER OF UNAUTHORIZED 
PACKET (WHEN SEARCH REQUEST 
DATA 50 IS NOT RECEIVED) 



UPDATE FOLLOWING 
INFORMATION OF RECEIVED 
SEARCH REQUEST DATA 50 
• DESTINATION ROUTER ADDRESS 

ENTER OBTAINED ADDRESS 
■ SELF-ROUTER ADDRESS -> 
ENTER SELF-ROUTER ADDRESS 



RECORD UPDATED 
SEARCH REQUEST DATA 



/LOOPED A NUMBER OF TIMES 
(CORRESPONDING TO OBTAINEI 
NADDRESS COUNT? 



(SHOWN IN FIG. 22) 



TRANSMIT UPDATED OR CREATED SEARCH REQUEST 
DATA 50 TO IP PAKCET ROUTING UNIT 100 



[RECEIVE SEARCH REQUEST DATA 50 BY IP PAKCET ROUTING UNIT 100| 



1 TRANSMIT SEARCH REQUEST DATA 50 TO PORT 107 I 



\ l TRANSMIT SEARCH REQUEST DATA 50 TO BORDER ROUTER VIA P0RTJ071 
100 (TO UNAUTHORIZED PACKET MONITORING^ 107 

Estate by border router J T0 F|G - 20 



TATE BY BORDER ROUTER 



FIG. 20 

FROM FIG. 19 



' UNAUTHORIZED PACKET MONITORING^ 
^ STATE BY BORDER ROUTER > 



100 




OBTAIN AND TRANSMIT FOLLOWING "UNAUTHORIZED 
PACKET INFORMATION" ON UNAUTHORIZED PACKET 
TO DESTINATION SEARCH PROCESS 102 

■CONTENT OF UNAUTHORIZED ACCESS INFORMATION TABLE 
150 WHICH IS COINCIDNET WITH ILLEGAL PARTY 

■ IP HEADER 

• MAC ADDRESS OR VPl/VCI OR INPUT PORT INFORMATION 



TRANSMIT UNAUTHORIZED PACKET 
INFORMATION TO DESTINATION 
SEARCH PROCESS 102 



TO DESTINATION SEARCH PROCESS ] EXECUTE AUTHORIZED 
102 (WHEN MAKING SOURCE ROUTER PACKET PROCESS BY 
ADDRESS SEARCH REQUEST OF |p PACKET ROUTING 

^UNAUTHORIZED PACKET) ) \ unit 1QQ 

TO FIG. 21 



FIG. 21 



FROM FIG. 20 



DESTINATION SEARCH PROCESS 102 ^ 
(WHEN MAKING SOURCE ROUTER ADDRESS 
SEARCH REQUEST OF UNAUTHORIZED PACKET) J 



RECEIVE SEARCH REQUEST DATA 50 OR UNAUTHORIZED PACKET 
INFORMATION BY DESTINATION SEARCH PROCESS 102 



MAKE BORDER ROUTER ADDRESS MAKE SOURCE ROUTER ADDRESS 

SEARCH REQUEST IN SAME SEARCH REQUEST OF 

AUTONOMOUS SYSTEM (WHEN UNAUTHORIZED PACKET (WHEN 

RECEIVING SEARCH REQUEST SEARCH REQUEST DATA 50 IS 



IVPl/CPll [MAC ADDRESSl j INPUT PORT INFORMATION 



REFER TO CONNECTION ROUTER INFORMATION TABLE 108 
REGISTERED WITH ADDRESS OF ROUTER CONNECTED TO 
ABOVE ROUTER BY COMMAND 160 AND OBTAIN ROUTER 
ADDRESS (SOURCE ADDRESS OF UNAUTHORIZED PACKET) 
CORRESPONDING TO INFORMATION RECEIVED 



TRANSMIT OBTAINED SOURCE ADDRESS OF UNAUTHORIZED 
PACKET AND UNAUTHORIZED PACKET INFORMATION TO 
TRACE REQUEST INFORMATION DISTRIBUTION PROCESS 101 



(TO TRACE REQUEST INFORMATION DISTRIBUTION 
PROCESS 101 (WHEN MAKING REQUEST TO SOURCE 
^ ROUTER OF UNAUTHORIZED PACKET) , 




DATA 50) 



NOT RECEIVED) (WHEN 
RECEIVING UNAUTHORIZED 
PACKET INFORMATION) 



(SHOWN IN FIG. 18) 




TO FIG. 22 



FIG. 22 

FROM FIG. 21 



/TRACE REQUEST INFORMATION DISTRIBUTION 

PROCESS 101 (WHEN MAKING REQUEST TO SOURCE 
^ROUTER OF UNAUTHORIZED PACKET) 




RECEIVE UNAUTHORIZED PACKET INFORMATION AND 
DESTINATION ROUTER ADDRESS OBTAINED BY TRACE REQUEST 
INFORMATION DISTRIBUTION PROCESS 101 



/ CHECK TYPE OF DISTRIBUTION 
\ OF SEARCH REQUEST DATA 



MAKE DISTRIBUTION REQUEST 
TO BORDER ROUTER IN SAME 
AUTONOMOUS SYSTEM (WHEN 
RECEIVING SEARCH REQUEST 
DATA 50) 



I ~ 

( SHOWN IN FIG. 19 ) 



MAKE REQUEST TO SOURCE 
ROUTER OF UNAUTHORIZED 
PACKET (WHEN SEARCH REQUEST 
DATA 50 IS NOT RECEVIED) 
(WHEN RECEIVING 
UNAUTHORIZED PACKET 
INFORMATION) 



CREATE SEARCH REQUEST DATA 50 BASED ON FOLLOWING 
INFORMATION 

■ REQUEST TYPE— ENTER REGISTRATION 
(UNAUTHORIZED ACCESS PREVENTION REQUEST) 

■ DESTINATION ROUTER ADDRESS— OBTA I NED BY 
DEST I ANT I ON SEARCH PROCESS 102 

■ SELF-ROUTER ADDRESS—ENTER SELF-ROUTER ADDRESS 
■DESTINATION IP ADDRESS-OBTAINED FROM 

UNAUTHORIZED PACKET INFORMATION 

■ PROTOCOL TYPE— OBTAINED FROM UNAUTHORIZED 
PACKET INFORMATION 

« PORT NUMBER — OBTAINED FROM UNAUTHORIZED PAKCET 



TRANSMIT UPDATED OR CREATED 
SEARCH REQUEST DATA 50 TO IP 
PACKET ROUTING PROCESS 100 
AND UNAUTHORIZED INTRUSION 
RESPONSE PROCESS 109 



RECEIVE SEARCH REQUEST DATA 
50 BY IP PAKCET ROUTING 
PROCESS 100 



TRANSMIT SEARCH REQUEST DATA 
50 TO PORT 107 



TRASMIT SEARCH REQUEST DATA 

50 TO BORDER ROUTER 

VIA PORT 107 



'■ 109 



RECEIVE SEARCH REQUEST DATA 50 
EXTRACT DESTINATION ADDRESS AND 
TRANSMIT UNAUTHORIZED INTRUSION 
RESPONSE DATA TO DESTINATION BY 
UNAUTHORIZED INTRUSION RESPONSE 
PROCESS 109 (INFORM THAT 
UNAUTHORIZED INTRUSION IS 
DISCOVERED IN SELF-ROUTER) 



TO BORDER ROUTER RECEIVING \ 
SEARCH REQUEST DATA (REPEATED) J 



